Server Security: Answering the “Simple Questions”

Great post on TaoSecurity this week. The author, Richard Bejtlich, probably one of the top security experts in the US, discusses a conversation he had with one of his CISOs. Richard was asked, “Can you tell me when something bad happens to any of my 100 servers?” The remainder of the post is the flood of questions Richard responds with.

Herein lies the problem. With each server that is live, you have several different angles of attack. Also, as the network grows in size, these attack options multiply. You have IP vulnerabilities, software vulnerabilities, OS vulnerabilities, security issues, and also the ever-present human factor.

This is a lot to factor in when looking at defense. You may have network monitoring, automatic updates, automatic patching, and a great security policy, but what if your young admins are using simple passwords when installing the servers? What if the automatic updates aren’t actually automatic? Is it in your policy to check the machines to see if the Altiris updates really did apply successfully? Can your analysis software sift through the flood of packet data and detect anomalies?

There are a lot of questions to ask, and right now the ball is still in the attacker’s court. The US, like other countries, is working on a “secure OS” called Ethos. This should help leave a lot of OS issues behind. But even Ethos will be run on virtual machines, which means that the security of the host machine must be top notch.

As the cat-and-mouse game of security continues, one must wonder when the good guys will gain the upper hand. For as they say, where there is a will, there is a way.